Protection against the critical Magento “Shoplift” security bug

Researchers recently found a critical security bug in the widely used Magento e-commerce shopping cart software. If you use this software and don’t update it to fix the bug, “hackers” can easily take over your site, including potentially stealing the credit card numbers of your customers.

We’ve analyzed the Magento software our customers have installed and found that more than half is unpatched, despite the Magento team sending e-mail notices to Magento users in February.

“Hackers” are now beginning to exploit the bug. Because this is so dangerous, we yesterday added security rules to block these attacks even if you haven’t updated.

Although we’re confident that these rules block the current attacks (we’ve seen it block several live attacks, and it makes sites we host pass the useful Shoplift bug tester), you should still patch your site if you use Magento: using outdated versions of e-commerce software is always dangerous.

Can I see the mod_security rules?

Although our customers are protected, we’re often asked to share our mod_security rules when we post something like this. If you’re the technical person running a server for other people who use unpatched Magento software, these rules should stop the attacks:

SecRule REQUEST_LINE "/cms_wysiwyg/" "deny,auditlog,chain"
SecRule &ARGS:forwarded "!@eq 0" "chain"
SecRule &ARGS:filter "!@eq 0" "chain"
SecRule &ARGS:___directive "!@eq 0"

This blocks requests to the “Cms_Wysiwyg” controller that include the “forwarded” parameter that allows the bug to be exploited.